About data and indexes

When you use Splunk, you are working with data in a Splunk index. In general, this manual assumes that a Splunk admin has already added data to your Splunk index. If this is the case, you can skip right to the "Search and investigate" chapter in this manual.

What types of data does Splunk index

Splunk can index any IT data from any source in real time. Point your servers' or network devices' syslog output at Splunk, set up WMI polling, monitor any live log files, enable change monitoring on your filesystem or the Windows registry, schedule a script to grab system metrics, and more. No matter how you get the data, or what format it's in, Splunk will index it the same way — without any specific parsers or adapters to write or maintain. It stores both the raw data and the rich index in an efficient, compressed, filesystem-based datastore — with optional data signing and auditing if you need to prove data integrity.

Ways to get data into Splunk

When adding data to Splunk, you have a variety of flexible input methods to choose from: Splunk Web, Splunk's CLI, and the inputs.conf configuration file.

You can add most data sources using Splunk Web. If you have access to the configuration files, you can use inputs.conf, which has more extensive configuration options. Any changes you make using Splunk Web or the Splunk CLI are written to inputs.conf.

Where does Splunk store the data

You'll notice that we use the term "index" to refer to a couple of different things. First and foremost, when Splunk indexes new data, it processes the raw data to make it searchable. Second, when we talk about Splunk indexes, we mean the data store where Splunk stores all or parts of the data. So, when you index new data, Splunk stores the data in indexes. Additionally, when you search, you're matching against data in one or multiple indexes.

Apps and inputs

When you add an input to Splunk, that input gets added relative to the app you're in. Some apps write input data to their specific index (for example, the Splunk App for Unix and Linux uses the 'os' index). If you're not finding data that you're certain is in Splunk, be sure that you're searching the right index.
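As an added illustration (not part of the original page), the following inputs.conf fragment shows how an input stanza names the index its events land in, which is exactly why a search can miss data that is in Splunk; the log path, sourcetype and index name are assumptions:

```ini
# Constructed example (not from the Splunk docs): a file monitor input that
# sends Linux authentication logs to the 'os' index instead of the default.
# The stanza form and the index / sourcetype / disabled keys are standard
# inputs.conf settings; the path and index name are assumed for illustration.
[monitor:///var/log/auth.log]
index = os
sourcetype = linux_secure
disabled = 0

# Events from this stanza are not returned by a search that omits the index,
# e.g.   sourcetype=linux_secure "Failed password"
# unless 'os' is in the searching role's default indexes. Name it explicitly:
#        index=os sourcetype=linux_secure "Failed password"
```

If a role's default search indexes do not include the one an app writes to, the `index=` term is the only way to see those events.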

For the Splunk user, this is all you need to know before you begin searching and learning more about your data. If you want to read more about managing the data in your indexes, see the "Manage indexes" chapter in the Admin manual.
